Display Certificate Stores

Using the Certificates snap-in, you can display the certificate store for a user, a computer, or a service according to the purpose for which the certificates were issued or by using their logical storage categories. When you display certificates according to their storage categories, you can also choose to display the physical stores, showing the certificate storage hierarchy. (This is recommended for advanced users only.)

If you have the user rights to do so, you can import or export certificates from any of the folders in the certificate store. Additionally, if the private key associated with a certificate is marked as available for export, you can export both into a PKCS #12 file.

Windows can also publish certificates to Active Directory Domain Services (AD DS). Publishing a certificate in AD DS enables all users or computers with adequate permissions to retrieve the certificate as needed.

Certificate stores

Certificates can be displayed by purpose or by logical stores, as shown in the following table. Displaying certificates by logical stores is the default in the Certificates snap-in.

Note

The list of certificate purpose stores does not include all the possible purpose stores.

Display by

Folder name

Contents

Logical store

Personal

Certificates associated with private keys to which you have access. These are the certificates that have been issued to you or to the computer or service for which you are managing certificates.

Trusted Root Certification Authorities

Implicitly trusted certification authorities (CAs). Includes all of the certificates in the Third-Party Root Certification Authorities store plus root certificates from your organization and Microsoft.

If you are an administrator and want to add non-Microsoft CA certificates to this store for all computers in an Active Directory domain, you can use Group Policy to distribute trusted root certificates to your organization.

Enterprise Trust

A container for certificate trust lists. A certificate trust list provides a mechanism for trusting self-signed root certificates from other organizations and limiting the purposes for which these certificates are trusted.

Intermediate Certification Authorities

Certificates issued to subordinate CAs. If you are an administrator, you can use Group Policy to distribute certificates to the Intermediate Certification Authorities store.

Trusted People

Certificates issued to people or end entities that are explicitly trusted. Most often these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook. If you are a domain administrator, you can use Group Policy to distribute certificates to the Trusted People store.

Other People

Certificates issued to people or end entities that are implicitly trusted. These certificates must be part of a trusted certification hierarchy. Most often these are cached certificates for services such as Encrypting File System (EFS), where certificates are used for creating authorization for decrypting an encrypted file.

Trusted Publishers

Certificates from CAs that are trusted by software restriction policies. If you are a domain administrator, you can use Group Policy to distribute certificates to the Trusted Publishers store.

Disallowed Certificates

These are certificates that you have explicitly decided not to trust either by using software restriction policies or by choosing not to trust a certificate when the decision is presented to you in e-mail or a Web browser. If you are a domain administrator, you can use Group Policy to distribute certificates to the Disallowed Certificates store.

Third-Party Root Certification Authorities

Trusted root certificates from CAs other than Microsoft and your organization. You cannot use Group Policy to distribute certificates to the Third-Party Root Certification Authorities store.

Certificate Enrollment Requests

Pending or rejected certificate requests.

Active Directory User Object

Certificates associated with your user object and published in AD DS.

Purpose

Server Authentication

Certificates that server programs use to authenticate themselves to client computers.

Client Authentication

Certificates that client programs use to authenticate themselves to servers.

Code Signing

Certificates associated with key pairs used to sign active content.

Secure E-mail

Certificates associated with key pairs used to sign e-mail messages.

Encrypting File System

Certificates associated with key pairs that encrypt and decrypt the symmetric key used for encrypting and decrypting data by EFS.

File Recovery

Certificates associated with key pairs that encrypt and decrypt the symmetric key used for recovering encrypted data by EFS.

When you view certificates by logical store, you will occasionally see what appears to be two copies of the same certificate in the store. This occurs because the same certificate is stored in separate physical stores under a logical store. When the contents of the physical certificate stores are combined into one logical store view, both instances of the same certificate are displayed.

You can verify this by setting View Options to show the Physical certificate stores and then noting that the certificate is stored in separate physical stores under the same logical store. You can verify that it is the same certificate by comparing the serial numbers.